Xentrk
> Ok I'll do that. Only got my Asus a week ago and don't want to wear the flash too quickly!

That is now urban legend from what I understand. You should be fine.
> Another stupid question, on the wiki, it mentions:
>
> Code:
> # Reinstate the ipset rules if they have been created already
> [ "$(uname -m)" = "mips" ] && MATCH_SET='--set' || MATCH_SET='--match-set'
> for ipSet in $(ipset -L | sed -n '/^Name:/s/^.* //p'); do
>     case $ipSet in
>         AcceptList)
>             iptables-save | grep -q "$ipSet" || iptables -I INPUT -m set $MATCH_SET $ipSet src -j ACCEPT;;
>         TorNodes|BlockedCountries|CustomBlock)
>             iptables-save | grep -q "$ipSet" || iptables -I INPUT -m set $MATCH_SET $ipSet src -j DROP;;
>         MicrosoftSpyServers)
>             iptables-save | grep -q "$ipSet" || iptables -I FORWARD -m set $MATCH_SET $ipSet dst -j DROP;;
>         *)
>             iptables-save | grep -q "$ipSet" || iptables -I FORWARD -m set $MATCH_SET $ipSet src,dst -j DROP;;
>     esac
> done
>
> Is it a good idea to use this as a matter of course, in case I change anything in the UI?

Correct. In a prior discussion this week, Merlin stated that changes to the Administration-System page will cause this behavior.
> Ah OK, I read it here: https://github.com/RMerl/asuswrt-merlin/wiki/JFFS

Ah yes. I think the caveat is high volume activity files. Best to put those on USB drives.
> Yes, been reading plenty and got a few scripts going. Didn't know if writing out to the Blacklist would constitute high volume activity. I have a 500GB USB HDD plugged in, may reformat it to ext4 using this guide: http://www.algissalys.com/how-to/format-and-partition-usb-asuswrt-routers, with an additional 3rd partition of 2GB to store script outputs.

I would get a smaller USB drive and use it for this purpose and plug it into the USB2 port. Keep the other one for client backups or as a poor man's NAS solution.
root@router:/jffs/scripts# ./IPSET_Block.sh
(IPSET_Block.sh): 28277 v3.05 2016-2017 Martineau, Dynamic IPSET Blacklist banning request.....
Summary Blacklist: 40627 Successful blocks! ( 125 IPs currently banned - 652 added since: May 4 11:06 ), Entries auto-expire after 168:00:00 hrs
(HackerPorts.sh): 28352 v2.02 Hacker Port attacks Report starting.....
Thu May 4 22:16:02 DST 2017 Statistics: Total Unique Ports attacked: 0 (out of 0 attempts) tracked using SYSLOG between May 4 19:43:04 - May 4 22:16:02
Top 3 Ports attacked:
Top 3 attackers:
Last 3 most recent attackers:
...successful blocks and banned some IPs, but the hacker ports report is empty.
Thank you for your help.
iptables -V
iptables -S logdrop
iptables --line -nvL logdrop
iptables -S Blacklist
iptables --line -nvL Blacklist
iptables -A Blacklist -m state --state NEW -j LOG --log-prefix "Block " --log-tcp-sequence --log-tcp-options --log-ip-options
iptables -A Blacklist -m state --state NEW -j LOG --log-prefix "Block " --log-tcp-sequence
iptables -A Blacklist -m state --state NEW -j LOG --log-prefix "Block "
iptables -S Blacklist
iptables --line -nvL Blacklist
grep -E "Block IN=$(nvram get wan0_ifname)" /tmp/syslog.log | grep -oE "SRC.*DPT=.*\SEQ" | wc -l
grep -E "Block IN=$(nvram get wan0_ifname)" /tmp/syslog.log | grep -oE "SRC.*DPT=.*SEQ" | wc -l
./IPSET_Block.sh
I don't think any deserve any thanks given my rubbish script!

You deserve a lot of thanks. In fact, I would send you a PayPal donation if you let me know how. I really appreciate the script and the support you provide on the forum.

We all love your script and effort to help people.
OK, I really appreciate you taking the time to assist in debugging. Please find below my output and please share your thoughts.

Code:
ASUSWRT-Merlin RT-AC88U 380.65-2 Fri Mar 10 05:31:41 UTC 2017
root@rooter:/tmp/home/root# iptables -V
iptables v1.4.14
root@rooter:/tmp/home/root# iptables -S Blacklist
-N Blacklist
-A Blacklist -m state --state NEW -j SET --add-set Blacklist src
-A Blacklist -m state --state NEW -j LOG --log-prefix "Block " --log-tcp-sequence --log-tcp-options --log-ip-options
-A Blacklist -m state --state NEW -j LOG --log-prefix "Block " --log-tcp-sequence --log-tcp-options --log-ip-options
-A Blacklist -m state --state NEW -j LOG --log-prefix "Block " --log-tcp-sequence
-A Blacklist -m state --state NEW -j LOG --log-prefix "Block "
root@rooter:/tmp/home/root# iptables --line -nvL Blacklist
Chain Blacklist (4 references)
num pkts bytes target prot opt in out source destination
1 12215 5948K SET all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW add-set Blacklist src
2 12215 5948K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix "Block "
3 39 20165 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix "Block "
4 39 20165 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 1 level 4 prefix "Block "
5 38 19589 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 0 level 4 prefix "Block "
root@rooter:/tmp/home/root# iptables -A Blacklist -m state --state NEW -j LOG --log-prefix "Block " --log-tcp-sequence --log-tcp-options --log-ip-options
root@rooter:/tmp/home/root# iptables -A Blacklist -m state --state NEW -j LOG --log-prefix "Block " --log-tcp-sequence
root@rooter:/tmp/home/root# iptables -A Blacklist -m state --state NEW -j LOG --log-prefix "Block "
root@rooter:/tmp/home/root# grep -E "Block IN=$(nvram get wan0_ifname)" /tmp/syslog.log | grep -oE "SRC.*DPT=.*\SEQ" | wc -l
0
root@rooter:/tmp/home/root# grep -E "Block IN=$(nvram get wan0_ifname)" /tmp/syslog.log | grep -oE "SRC.*DPT=.*SEQ" | wc -l
0
root@rooter:/tmp/home/root# cd /jffs/scripts
root@rooter:/jffs/scripts# ./IPSET_Block.sh
(IPSET_Block.sh): 19491 v3.05 2016-2017 Martineau, Dynamic IPSET Blacklist banning request.....
Summary Blacklist: 60321 Successful blocks! ( 777 IPs currently banned - 762 added since: May 4 22:16 ), Entries auto-expire after 168:00:00 hrs
(HackerPorts.sh): 19566 v2.02 Hacker Port attacks Report starting.....
Fri May 5 11:14:22 DST 2017 Statistics: Total Unique Ports attacked: 0 (out of 0 attempts) tracked using SYSLOG between May 5 10:04:53 - May 5 11:14:22
Top 3 Ports attacked:
Top 3 attackers:
Last 3 most recent attackers:
tail /tmp/syslog.log
grep -E "Block.*" /tmp/syslog.log | tail
Thanks. Please find below the output of step 2:

Code:
ASUSWRT-Merlin RT-AC88U 380.65-2 Fri Mar 10 05:31:41 UTC 2017
root@rooter:/tmp/home/root# tail /tmp/syslog.log
May 5 12:38:14 kernel: Block IN=ppp0 OUT= MAC= SRC=190.175.29.142 DST=79.115.188.148 LEN=40 TOS=0x14 PREC=0x00 TTL=45 ID=43374 PROTO=TCP SPT=3802 DPT=22 WINDOW=38691 RES=0x00 SYN URGP=0
May 5 12:38:16 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May 5 12:38:16 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May 5 12:38:16 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May 5 12:38:16 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May 5 12:38:16 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May 5 12:38:16 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May 5 12:38:16 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May 5 12:38:17 dropbear[32579]: Child connection from 10.8.0.2:52705
May 5 12:38:18 dropbear[32579]: Password auth succeeded for 'stoic' from 10.8.0.2:52705
root@rooter:/tmp/home/root# grep -E "Block IN=" /tmp/syslog.log | tail
May 5 12:38:42 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May 5 12:38:42 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May 5 12:38:42 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May 5 12:38:45 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May 5 12:38:45 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May 5 12:38:45 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May 5 12:38:45 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May 5 12:38:45 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May 5 12:38:45 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May 5 12:38:45 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:78:24:af:7f:f1:8c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
It appears the issue is with parsing the syslog lines on your system.
Unfortunately I don't get a correct report when attempting to parse the lines of Syslog you provided, but this may be simply because of the 3 LOG rules that were temporarily added.
Can you delete rules 5, 4 and 3 from the Blacklist chain?

Code:
iptables --line -nvL Blacklist
Chain Blacklist (4 references)
num pkts bytes target prot opt in out source destination
1 12215 5948K SET all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW add-set Blacklist src
2 12215 5948K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix "Block "
3 39 20165 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix "Block "
4 39 20165 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 1 level 4 prefix "Block "
5 38 19589 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 0 level 4 prefix "Block "
iptables -D Blacklist 5
iptables -D Blacklist 4
iptables -D Blacklist 3

...then patch LINE:157 in the HackerPorts.sh script (basically the text string \SEQ is replaced by [A-Z]):

Code:
grep -E "[DROP IN=|Block IN=]$(nvram get wan0_ifname)" /tmp/syslog.log | grep -oE "SRC.*DPT=.*\SEQ" \
change to
grep -E "[DROP IN=|Block IN=]$(nvram get wan0_ifname)" /tmp/syslog.log | grep -oE "SRC.*DPT=.*[A-Z]" \

and retry the report?

Yes. I edited line 157 in HackerPorts.sh and deleted the iptables rules. Here it is:
root@rooter:/jffs/scripts# iptables -D Blacklist 5
root@rooter:/jffs/scripts# iptables -D Blacklist 4
root@rooter:/jffs/scripts# iptables -D Blacklist 3
root@rooter:/jffs/scripts# ./HackerPorts.sh
(HackerPorts.sh): 27736 v2.02 Hacker Port attacks Report starting.....
Fri May 5 15:36:20 DST 2017 Statistics: Total Unique Ports attacked: 1 (out of 429 attempts) tracked using SYSLOG between May 5 15:21:19 - May 5 15:36:20
Top 10 Ports attacked:
429 http://www.speedguide.net/port.php?port=67 e.g. https://dnsquery.org/ipwhois/0.0.0.0
Top 10 attackers:
1 https://dnsquery.org/ipwhois/0.0.0.0
Last 10 most recent attackers:
https://dnsquery.org/ipwhois/0.0.0.0
Seems to be changed. But I get IP 0.0.0.0.
# WAN only or ALL interfaces BRx / tun1x etc. ?
#if [ $WAN_ONLY ];then
#iptables -I INPUT $RULENO -i $(nvram get wan0_ifname) -m state --state INVALID -j Blacklist # WAN only
#else
iptables -I INPUT $RULENO -m state --state INVALID -j Blacklist # ALL interfaces
#fi
head -n $TOPX $LOGFILE".tmp" | sort -nr >> $LOGFILE.new
change to
sort -nr $LOGFILE".tmp" | head -n $TOPX >> $LOGFILE.new
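As an added example (not code from HackerPorts.sh or from anyone in this thread), here is a small report that sidesteps the two parsing problems discussed above: it picks SRC= and DPT= out of the kernel "Block " lines field by field instead of anchoring on a trailing SEQ= (a field the syslog lines posted above do not carry), it only counts lines that arrived on the interface you pass in (so the eth0 DHCP broadcasts with SRC=0.0.0.0 stay out of the report), and it sorts before it takes the top N, as the `sort -nr | head` change above does. The interface name `ppp0` and the syslog lines are constructed samples.

```shell
#!/bin/sh
# Added example, not code from HackerPorts.sh: summarise kernel "Block " LOG
# lines by destination port and source address. Fields are picked out by name,
# so TCP lines with or without SEQ= and UDP lines (which never carry SEQ=) all
# count, and only lines that arrived on the named interface are included.

# Constructed sample syslog lines (documentation addresses, not real captures).
SAMPLE_LOG='May 5 12:38:14 kernel: Block IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x14 PREC=0x00 TTL=45 ID=43374 PROTO=TCP SPT=3802 DPT=22 WINDOW=38691 RES=0x00 SYN URGP=0
May 5 12:38:15 kernel: Block IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=45 ID=43375 PROTO=TCP SPT=3803 DPT=23 WINDOW=38691 RES=0x00 SYN URGP=0
May 5 12:38:16 kernel: Block IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
May 5 12:38:18 kernel: Block IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=45 ID=43376 PROTO=TCP SPT=3804 DPT=22 SEQ=1234567890 ACK=0 WINDOW=38691 RES=0x00 SYN URGP=0
May 5 12:38:20 kernel: Block IN=ppp0 OUT= MAC= SRC=198.51.100.99 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=4000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
May 5 12:38:21 kernel: Block IN=ppp0 OUT= MAC= SRC=198.51.100.99 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=2 PROTO=UDP SPT=5000 DPT=53 LEN=40'

# Print "SRC DPT" for every Block line that came in on interface $1.
# stdin: syslog lines.
block_pairs() {
    grep -E "kernel: Block IN=$1 " | awk '{
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "" && dpt != "") print src, dpt
    }'
}

# Top $2 destination ports for interface $1, printed as "count port".
# Count and sort first, then head: head before sort would keep the first
# N lines of the file rather than the busiest N.
top_ports() {
    block_pairs "$1" | awk '{ print $2 }' | sort | uniq -c | sort -rn |
        head -n "$2" | awk '{ print $1, $2 }'
}

# Top $2 source addresses for interface $1, printed as "count address".
top_attackers() {
    block_pairs "$1" | awk '{ print $1 }' | sort | uniq -c | sort -rn |
        head -n "$2" | awk '{ print $1, $2 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | top_ports ppp0 3
printf '%s\n' "$SAMPLE_LOG" | top_attackers ppp0 3
```

On the router you would replace the sample with `/tmp/syslog.log` on stdin and pass the interface the WAN traffic actually arrives on.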